A recent campaign attributed to the North Korean state-sponsored threat actor Lazarus Group targeted a company in the decentralized finance (DeFi) space. The attack, investigated by NCC Group's Fox-IT in 2024, involved a multi-stage operation using social engineering and a suite of custom malware to compromise a victim's network.
Initial Infection Vector
The attack began with a social engineering approach on Telegram. The threat actor impersonated a legitimate employee of a trading company to establish contact with the target. To schedule a meeting, they used deceptive websites designed to mimic legitimate scheduling services such as Calendly and Picktime. While the precise method of initial compromise remains undetermined, evidence suggests a potential zero-day exploit in the Chrome browser may have been leveraged to gain access.
Multi-Stage Malware Deployment
Upon establishing a foothold, the attackers deployed a sophisticated loader dubbed PerfhLoader. This loader served to install the first primary payload, PondRAT. This malware is identified as a simplified variant of a known Lazarus tool called POORRAT (also known as SIMPLESEA). PondRAT functioned as a basic remote access trojan (RAT), providing capabilities to read/write files, execute processes, and run shellcode.
To expand their control, the actors deployed a comprehensive toolkit alongside PondRAT, including:
- A screenshot utility
- A keylogger
- Tools to steal credentials and cookies from Chrome
- Mimikatz for harvesting Windows credentials
- FRPC and other proxy utilities (MidProxy, Proxy Mini) to route traffic and maintain presence
Escalation to Advanced Tools
After approximately three months of using PondRAT, the group transitioned to a stealthier malware, ThemeForestRAT, which was loaded directly into the system's memory to avoid detection. This RAT communicates over HTTPS and supports about twenty commands for extensive remote control, including file operations, command execution, shellcode injection, and network discovery.
Notably, Fox-IT analysts identified code similarities between ThemeForestRAT and RomeoGolf, a malware family historically linked to the Lazarus Group's infamous 2014 attack on Sony Pictures Entertainment.
Final Payload: A Sophisticated RAT
The final stage of the attack involved deploying the most advanced tool, RemotePE. This RAT is written in C++ and is retrieved in a complex, multi-step process involving dedicated loaders (DPAPILoader and RemotePELoader). Its sophistication suggests it is reserved for high-value targets to ensure persistent, stealthy access after the initial discovery phase is complete.
Attribution and Implications
The overlap in tactics, tools, and malware code strongly attributes this campaign to the Lazarus Group. This incident highlights the group's continued evolution, their specific interest in the lucrative DeFi sector, and their methodical approach to attacks: simpler tools are used for initial access and discovery before more advanced, persistent payloads are deployed for long-term espionage or financial theft.